Pricing Engine

动态定价引擎 — 根据 LME 铜价、数量阶梯、客户等级、实时汇率自动计算报价，集成 quotation-workflow 生成报价单

What to check before installing / running this skill: - Confirm environment variables and secrets: the registry claims no required env vars, but SKILL.md and the code expect DRY_RUN, PRICING_LOG, COPPER_LOG, CACHE_TTL_MS and optionally PRICE_HISTORY_FILE. Decide values for these and set them explicitly in a safe environment (e.g., DRY_RUN=true for initial testing). - Verify Discord/notification mechanism: the margin rules reference sending Discord notifications on low-price triggers, but no webhook/token is declared. Search the rest of pricing-engine.js (the truncated part) for any code that sends messages and confirm where credentials come from (env var, platform secret, or omitted). Do not run in production until you understand where notifications are sent and how they authenticate. - Review external file access: copper-price-adapter reads a relative path ../../../copper-price-monitor/output. Make sure that directory is intentional and contains trusted data; otherwise the adapter could read unexpected files. If you don't run copper-price-monitor, test with DRY_RUN mode. - Audit network calls: the exchange-rate module fetches from https://open.er-api.com. If your security policy restricts external API calls, run with DRY_RUN or block outbound HTTPS during testing. - Inspect remaining code for side effects: the manifest shows truncated files; review the rest of pricing-engine.js and quotation-integration.js for any network calls, exec/spawn of shell scripts, or hardcoded endpoints. In particular, check for any code that would post data externally (beyond open.er-api.com) or execute scripts outside the skill directory (quotation-workflow integration references scripts/generate-all.sh and a Python script in a different repo). - Run in a sandbox first: execute with DRY_RUN=true, PRICING_LOG=false, and PRICE_HISTORY_FILE pointed to a temporary path. Verify outputs, where files are written, and whether any unexpected external requests occur. If the author can confirm (a) a list of required env vars in registry metadata, (b) how notifications (Discord) are authenticated (which env var or integration), and (c) that no other external endpoints are contacted, the remaining concerns would be reduced.

Type: OpenClaw Skill Name: ssa-pricing-engine Version: 1.0.0 The skill implements a complex pricing engine that utilizes several high-risk capabilities, including outbound network requests to an external exchange rate API (open.er-api.com) in 'exchange-rate.js' and the use of 'execSync' to execute shell commands (invoking Python and Google Chrome) for PDF generation in 'quotation-integration.js'. It also performs cross-directory file system access to read data from a sibling skill ('copper-price-monitor'). While these behaviors are functionally aligned with the stated purpose of calculating prices and generating quotation documents, the use of shell execution and external API interaction represents a significant attack surface for potential exploitation or unauthorized data access.